Windows 7 machines prompt new election security worries

By Derek B. Johnson

Aug 19, 2019

As states are phasing out their paperless voting machines, they face another fundamental security hurdle. Many electronic pollbooks, voter registration systems and election management applications run on Windows 7, a nearly obsolete operating system that will be expensive and time consuming to replace.

Election security officials warned that that a lack of money and resources as well as technical and logistical hurdles are preventing them from migrating their election systems from the Windows 7 operating system to Windows 10.

Speaking at an Aug. 15 election security forum hosted by the U.S. Election Assistance Commission (EAC) Lousiana Secretary of State Kyle Ardoin said his state will have spent more than $250,000 to replace computers using Windows 7 in clerks of court and voter registration offices. An additional $2 million has been spent to temporarily lease voting machines that require Windows 10 while the state waits for a new batch to go through the procurement process.

He estimated the cost of updating to Windows 10 to be around $670 per machine, not including the costs associated with testing, configuration and deployment.

Apart from causing technical conflicts when their elections systems communicate with the state's legacy voting machines, Windows 7 is also inching closer to its end of life, with Microsoft announcing it will stop supporting updates for the system entirely in January 2020.

The problem extends well beyond Louisiana, as a recent Associated Press investigation this year found that the "vast majority" of election jurisdictions in the U.S. are still using Windows 7 or older operating systems to program voting machines, create ballots, tally votes and report on election results.

Ginny Badanes, director of strategic projects for Microsoft's Defending Democracy Program, told the commission that her company would continue supporting Windows 7 through the 2020 election for an additional fee, but said the cost and other details are still being worked out

"We are committed to helping customers remain secure as they modernize systems and move to Windows 10," she said. "Some customers will need more time, [and] we will offer extended security updates for some."

There are other logistical and bureaucratic complications that make it difficult for states and localities to update and patch election and voting systems in a timely fashion. Perhaps most crucial: the EAC is still mulling whether patching the software of a voting machine would require new certification under EAC standards. That would introduce delays and perhaps keep election officials from implementing updates that "break" the certification of their machines.

"In our perception this is a lack of clarity about if and how a security update could be applied without triggering recertification," said Badanes. "We should stop giving administrators the choice of using systems with known vulnerabilities or applying security patches and taking their systems out of certification."

Ardoin said vendors had told him that while they can force updates, doing so could wreak havoc on functionality or cause those systems to fall out of certification. This puts officials in a seemingly no-win scenario the closer they get to Election Day -- forced to choose between having secure systems and fielding any machines at all when voters head to the polls.

"We need to balance the need for certification with the imminent security needs of election officials on the ground, where time and resources are truly of essence," Kentucky State Election Director Jared Dearing said.

Ardoin lobbied for Congress to provide more funding to states, but like some other secretaries of state, he said that those funds should not come with any additional mandates, arguing that states can be trusted to take their own unique path to an improved election security posture.

"What we would hope for is if the federal government does make additional resources, it's necessary that there be no strings attached, [because] each state is different," he said.

Nearly all of the election security funding bills proposed by Congress over the past two years have specified some form of mandates on states, such as restrictions on buying voting machines without auditable paper trails, implementing risk limiting audits or other requirements.

Proponents of such mandates point to states like Georgia and Texas, where officials have used pots of new money in recent years to purchase new paperless direct recording electronic voting machines or ballot marking devices, as examples of how some states will simply repeat the same mistakes of the past if given complete autonomy over the funds. Both DRE and BMD machines are viewed as less secure, less auditable alternatives to optical scanning devices, though BMD machines are also considered one of the only viable voting equipment for disabled voters.

Intelligence officials continue to identify voting infrastructure as a target for state-sponsored hackers and other bad actors heading into the 2020 election. EAC Commissioner Thomas Hicks expressed confidence that the country was better prepared, but quoted former heavyweight boxing champion Mike Tyson in warning that "everyone has a plan until they get punched in the mouth."

"We all have our plans ready, but I think there's going to be a lot of swings at us," said Hicks.

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.